Law firm CMS has warned of regulatory overload as technology providers which supply services to financial services firms could be brought into scope of UK regulation.
The Financial Services and Markets Act 2023 created a regime which gave power to the Financial Conduct Authority, Prudential Regulation Authority and Bank of England to bring critical third party service providers into the scope of the regulatory perimeter for the first time.
These third-party suppliers provide a range of services to firms but one of the key things they provide is critical cloud-based services.
The regulators want to develop rulebooks for CTPs to “manage potential risks to the stability of, or confidence in, the UK financial system that may arise due to a failure in, or disruption to, the services that a CTP provides".
CMS said this reflects a “significant and transformative shift” for CTPs but not for firms who appoint them.
Some firms that are already subject to regulation by one or more of the regulators may objectively meet the criteria for designation as a CTP.
However, the law firm said regulators are unlikely to recommend these firms for designation as CTPs if they are already subject to a level of supervision and oversight that delivers at least equivalent outcomes to this new regime.
“We expect that CTPs will include entities such as cloud providers, data processors and payment system providers, amongst others,” it said.
“CTPs will not be ‘firms’ but will have a quasi-regulatory status with their own body of rules.”
The regulators, as part of a joint consultation paper, have made it clear that this regime is about regulatory oversight of the infrastructure that supports the financial system and "is not a let up of the outsourcing" and third party risk management rules applicable to firms.
The framework
The proposed rules are drawn from sections of the existing regulation but they differ from the areas that were covered in a previous discussion paper.
CTPs would be subject to:
- fundamental rules that are drawn from the existing regulatory rules for firms
- operational resilience and mapping requirements that have been drawn from the existing regime
- requirements to have governance, change, cyber security, supply chain and risk management frameworks
- obligations to notify the regulators and firms in the event of certain incidents and incident management requirements
CMS said CTPs will need to grapple with implementation as they are expected to apply a proportionate and risk-based approach to these outcomes-based rules.
They have to take into account the nature, scale, and complexity of each CTP's services, and the potential impact of a disruption, failure, or breach of those services.
“Areas like the high level fundamental rules are not easy when it comes to practical steps,” CMS said.
“There is existing guidance but there is no clear definition of what the fundamental rules mean.”
The law firm said it may be a case of mapping and documenting systems and governance that are already in place by CTPs to demonstrate compliance.
For example, existing oversight over their supply chain and risk management frameworks.
However, in others, such as notifications, new processes will need to be embedded.
“CTPs may also need to review all of their own third party outsourcing arrangements to ensure that they accurately reflect their existing and new processes following the implementation of these rules,” the law firm added.
